Secure File Transfer is as simple as it sounds, the secure transfer of files. But the real questions revolve around why you need to securely transfer files, what happens if you don’t, and how the heck can we do it properly?
Fortunately, this blog is not about answering what Secure File Transfer is on such a simplistic level. Instead, we will talk about how to make file transfers secure and will touch upon these questions:
- Why do you need to securely transfer files?
- What happens if you don't transfer files securely?
- Which files need to be transferred securely?
- And how the heck do I do it?
Why Do you Need Secure File Transfer?
Intellectual property is the lifeblood of today's innovative enterprises. At the same time competition is fiercer than ever and your rivals would love to know what's happening at your company. But the biggest issue is that cybercriminals are growing in numbers and sophistication. Many cyberattacks, such as ransomware, are offered as-a-service so that these days any dummy can launch a successful ransomware attack or breach your data. Finally, Data Loss Prevention (DLP) is a key area because lost data is ultimately lost business – and potentially subject to massive compliance fines and business crushing publicity.
Much data is often at the most risk when it is in motion, such as when a file is transferred. This is why Secure File Transfer is an absolute must for any security-conscious enterprise.
EDI is Not the Answer
Secure File Transfer is certainly not new and major enterprises, especially those that fall under compliance regulations, have had their own approaches for many years. For the largest companies with lots of partners, Electronic Data Interchange (EDI) has been the answer. This longstanding technology has been key to sharing items such as invoices with trading partners. EDI can handle large volumes with many partners, and has been largely transaction oriented. EDI solves a different set of issues than Secure File Transfer solutions. In fact, what EDI exchanges are not really files per se.
Files are different. Files are not transactions but larger pieces of content, which can come in a variety of formats such as word documents, spreadsheets, PDF's, database records and all manner of unstructured data including image files. It is this unstructured data that EDI struggles with and fails at securing. In fact, experts believe that EDI, limited to transporting only structured data, handles only 20% of the data enterprises need to share, leaving the other 80% in the hands of Secure File Transfer solutions and other tools.
EDI also requires trading partners to agree on a data format. In many cases, the trading partner doesn’t support a particular format, thus requiring translation. This is where a Managed File Transfer (MFT) solution such as MOVEit from Progress comes in. MOVEit can handle these translations and incorporate the file transfers into the MOVEit MFT solution and workflows.
So now you've got me. But we haven't defined what Managed File Transfer (MFT) is yet. As the name implies, MFT is a method of transporting and transferring files and documents of many types. Unlike low-level solutions like Dropbox, MFT solutions can include automation to ease the transfer of a large volume of files, auditing to track whether files have been successfully sent, and security so that files are not tampered with or compromised. More on MFT later.
Other Wrong (and insecure) Way to Transfer Files
Email: Let’s start with perhaps still the most common way to transfer files – good old email. Email attachments once made life easy — and for pictures of your newborn, it still works just fine. But cybercriminals aren’t exactly jonesin for photos of little Johnny. But when the attachment contains unannounced company financials, email simply can't cut it.
At the same time, email isn't always reliable. How many times has your message been bounced or stuck in the junk mail folder? What if you key in the wrong address? Now someone you don't even know has those unannounced company financials and may well send them off to the competition. An email for file transfers is not scalable at all, and these days more and more email clients have file size limitations so you can't send larger files anyway. And how do you ensure your email and the attachment got to the recipient? Do you really rely upon return receipts? When was the last time that ever worked?
Thumb drives and disks: We're going to go way back in time and talk about using thumb drives and even disks to transport files. You're wondering what century I’m in, but the truth is some people still use this physical transport method to transfer files – and it is way scary and insecure. Almost no thumb drives are protected or encrypted, and anyone whose lap it drops into can see everything. Even worse, thumb drives are still a common virus carrier. Would you like some ransomware with that file? My guess is no one in your enterprise uses this approach, but if they do, make them stop immediately!
File Sync-and-Share: There are two types of File Sync-and-Share: enterprise class and consumer grade. Often these are the same solution — one free and with storage limits, the other paid with more storage and a bit (just a bit) more security.
There are many issues and concerns here. First, authentication is often rudimentary and easy to hack with multi-factor authentication being the exception rather than the rule. The notion that these systems sync between end user devices is another security hole. If an iPhone is syncing with Dropbox or Google Drive, anyone who grabs that phone can see the files.
Don't get me wrong, these are terrific solutions for common types of file sharing, and non-critical data can be exchanged this way without much worry. But critical data, confidential data and data covered by compliance rules should never be set about this way.
File Transfer Protocol (FTP): When we bandy about terms like ETI and FTP, you realize that file transfer solutions and technologies have been around for a while — decades in fact. FTP matches that definition and has long been a way that IT, power users, and business folks move large files in a way they believe to be secure. It has been a terrific technology and still makes sense for awful lot of use cases. It's just that Secure File Transfer isn't one of them.
FTP doesn't measure up security-wise and is not advisable for confidential data or anything that falls under compliance rules. There are other grave FTP shortcomings. When you need to move a lot of files, IT often relies upon scripts to automate the process. Scripts come with their own complications. First, someone must write the scripts which takes time, and someone should test the script to make sure it works as intended. But scripts are complicated to manage and are very often only understood by the person who wrote them — what happens if that person leaves your company?
While scripts offer a low level of automation, it really is not up to the volume of files your enterprise needs to send or the different types of transfers you likely require. In short, FTP is difficult to secure, tricky to automate, and cannot properly track and audit your file transfers.
The worst situation is to have a wide array of methods for transferring files. Here, copies of files are kept all over the place with no central oversight or security. It is a disaster waiting to happen.
What is Secure File Transfer Really? The MFT Answer
To be secure, a file transfer must be fully protected, meaning that it is encrypted at rest and that the transfer itself is tracked to ensure that it happened properly. In addition, anyone accessing the file transfer system should be authenticated, preferably through multi-factor authentication. We mentioned tracking, and this should be brought to a higher level where all your file transfers are audited and logged so that there is a complete record of all movements and any issues related to these transfers.
These issues are exactly why Managed File Transfer (MFT) technology was invented in the first place. In fact, we just largely defined what an MFT solution is — it is all the above.
With all these attributes, MFT can replace all or most of the methods you use today to transfer files. It's a single, secure, manageable automated solution with a single pane of glass to view all activities, which greatly reduces the risk of file transfers gone wrong. At the same time, your end users and IT are more productive through automation and that single pane of glass, creating a positive return on investment (ROI) compared to using an array of different and usually insecure and problematic
The Need to Encrypt Not Always Met
Many of the “secure” file transfer tools claim safety because they are not entirely wide open, requiring an account to be set up and a password to access them. That’s like saying your jewelry is safe because there is a single lock on the door, but the window is open. Without MFA, most anything can be hacked, and so it is with these purportedly secure offerings.
Your data should be protected even if a cybercriminal invades the file transfer system, and the only way to do that is by securing the data itself through encryption.
Even otherwise protected IT solutions such as databases behind a firewall with restricted end user access can be breached when those database files leave the DBMS and are exported or transferred. This can happen during the transfer or when the file is moved, say to a server, and is at rest there.
Good MFT solutions can always encrypt data.